Rights of the Data Subject and its example

1. The right to be informed

When you are interviewed for a job, the company should not keep, process or collect your
personal data without you knowing or giving them consent to do so.

A medical doctor in a private hospital in Manila recorded a conversation with his lady patient
without the patient’s knowledge and prior consent. Upon realizing what was happening, the
patient immediately confronted the doctor and expressed her strong dismay, pointing out the
physician’s lack of professionalism in recognizing his personal right to privacy. She said she could
have given her consent anyway if only she was asked politely. The doctor apologized and
explained that his action was just meant to aid his recall, especially when he later examined the
case, saying he just wanted to provide the best possible service, which the patient deserves. The
patient, however, demanded the doctor to delete the recorded conversation and canceled on
the medical consultation. She said if the doctor does not even know the basic courtesy of asking
for consent, then how can he expect to win the patients’ confidence in his competence as a
medical practitioner.

2. The right to access

If you know that a company or an organization holds any personal data about you, you have the
right to ask them provide you a written description of the kind of information they have about
you, their purpose/s for holding them, the period for which the information will be stored, as
well as the recipients to whom the information may be disclosed.

An individual had been involved in an incident inside and outside a Manila restaurant where his
wallet was stolen. He also suffered minor injuries in the incident. He requested access to the
restaurant CCTV footage relating to himself, saying he wants to see all details surrounding the
incident and possibly figure out a way to recover his wallet. He tried to personally speak to the
manager but was referred to the security guard. After a few days of following up on his request,
he was finally informed that the establishment would not provide him any data. This infuriated
him and, upon going back to the restaurant, he demanded his right to view the footage or else
he would create a scene. He was told that, as per their security policy, no “outsider” is allowed
to enter areas in their establishment designated only as “for employees only”. As a compromise,
the manager said they will give him a record of the footage using the customer’s handheld
gadget.

3. The right to object

Any activity involving a data subject’s personal data without his or her consent is deemed illegal.
In case an organization ask for your consent to keep your data, you have the right to refuse, as
well as the choice to withdraw consent.
 The right to object is most specifically applicable when organizations or personal information
controllers are processing your data without your consent for the following purposes:
 Direct marketing purposes. When business organizations give you sales materials about
products and services, they must explicitly inform or remind you of your right to object. If you
feel uncomfortable to being target of a direct marketing campaign, you must be able to easily
invoke your right to object.
 Profiling purposes. Businesses customarily resort to profiling, or the creation of profiles of
individual customers and clients without their consent. This is done either for marketing or
customer care purposes. The cross-referencing of customer information to product marketing
brings about practical advantages to both the buyer and seller in any potential business
transaction.
 Automated processing purposes. In technology-driven industries, such as banking and finance,
many decisions affecting individuals are arrived at electronically via automatic data processing
systems based on personal information stored in computerized data files.

4. The right to erasure or blocking

“In Melvin v. Reid, 34 decided in 1931, for example, a homemaker, who had once worked as a
prostitute and who had been wrongly accused of murder, became the subject of a feature film
(“The Red Kimono”) seven years after her acquittal, based on the facts of her trial. Although not
specifically referencing a right to be forgotten, the court, permitting suit against the film-maker,
noted: “One of the major objectives of society as it is now constituted, and of the administration
of our penal system, is the rehabilitation of the fallen and the reformation of the criminal.” The
court held that the unnecessary use of the plaintiff’s real name inhibited her right to obtain
rehabilitation.”

5. The right to rectify

A government employee resigned from her agency with a period with premium payments of
20.49 years. The employee’s birthdate indicated in her Government Service Insurance System
(GSIS) records is 30 June 1959. However, her National Statistics Office (NSO) authenticated
Certificate of Live Birth shows 30 June 1952 as her birthdate. Her birthdate will determine when
she will start receiving her monthly pension – in 2019 if based on the GSIS record, and in 2012 if
based on her birth certificate. She, thus, invoked her right to rectify her personal data under the
Data Privacy Act of 2012.

6. The right to damages

“In October 2013, the Home Office published quarterly statistics about the family returns
process by which applicants who have children but who have no right to remain in the UK are
returned to their country of origin.

The Home Office uploaded anonymized statistics, but they also mistakenly uploaded a
spreadsheet of raw data on which those statistics were based. This spreadsheet contained
personal data and private information of approximately 1,600 individuals, including their names,
ages, nationality, the fact of an asylum claim, the regional office which dealt with their case and
their immigration removal status.
 This data remained online for nearly two weeks before it was removed but during that time the
webpage had been visited by IP addresses across the UK and abroad. As a result, a small number
of these individuals brought claims for misuse of private information and breaches of the Data
Protection Act 1998 (DPA).

The defendant accepted that their accidental publication of personal data amounted to a misuse
of private and confidential information and a breach of the DPA. It was not disputed that,
subject to proof, damages were recoverable for distress at common law and section 13 of the
DPA, unless Google Inc v Vidal-Hall is overturned.

The six individuals who brought the claims were awarded between £2,500 and £12,500 in
damages for misuse of their private information and the distress suffered as a result of the data
breach.”

7. The right to file a complaint with the National Privacy Commission

It affords a remedy to any data subject who “[feels] that [his or her] personal information has
been misused, maliciously disclosed, or improperly disposed,” or in case of any violation of his
or her data privacy rights.

European Union that had recently passed critical legislation that would guarantee that data
subjects get back control of their personal information.

8. The right to data portability

In case you want to close your Facebook account and leave the service, or simply feel like you’ve
shared a lot of information about your life and want a backup of all your Facebook data, you
may exercise your right to data portability.
You may also exercise this right if you intend to get a usable copy of your personal health
records for the use of other doctors you may like to consult. In banking, the right to data
portability may be used to reduce the risks of being locked-in with one single service provider,
thereby expanding customers’ options and improving customer experience.

“I affirm that I shall not give or receive any unauthorized help on this assignment and that all
work shall be my own.”